Security fix for invoice view.

[timetracker.git] / invoice_send.php

diff --git a/invoice_send.php b/invoice_send.php
index ee333a622487efdc83d26fd5ccd8e7628e5589eb..48bc14f072a55d61737cb912ae99c94fe6b1cec6 100644 (file)
--- a/invoice_send.php
+++ b/invoice_send.php
@@ -32,7 +32,7 @@ import('ttInvoiceHelper');
 import('ttSysConfig');
 
 // Access check.
-if (!ttAccessAllowed('manage_invoices') || !$user->isPluginEnabled('iv')) {
+if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices')) || !$user->isPluginEnabled('iv')) {
   header('Location: access_denied.php');
   exit();
 }